Archive for May, 2017

Chuck Leaver – At Ziften We Can Assist You With The WannCry Ransomware Problem

Written By Michael Vaughn And Presented By Chuck Leaver Ziften CEO


Answers To Your Concerns About WannaCry Ransomware

The WannaCry ransomware attack has infected more than 300,000 computers in 150 countries up until now by making use of vulnerabilities in Microsoft’s Windows operating system.
In this brief video Chief Data Scientist Dr. Al Hartmann and I talk about the nature of the attack, as well as how Ziften can assist companies safeguard themselves from the vulnerability known as “EternalBlue.”.

As pointed out in the video, the problem with this Server Message Block (SMB) file sharing service is that it’s on many Windows operating systems and discovered in most environments. However, we make it easy to determine which systems in your environment have actually or have not been patched yet. Notably, Ziften Zenith can also from another location disable the SMB file-sharing service totally, giving companies important time to ensure that those machines are effectively patched.

If you want to know more about Ziften Zenith, our 20 minute demo includes an assessment with our professionals around how we can help your company avoid the worst digital catastrophe to strike the internet in years.

Chuck Leaver – How To Evaluate Next Gen Endpoint Security Services

Written By Roark Pollock And Presented By Chuck Leaver CEO Ziften


The End Point Security Buyer’s Guide

The most common point for a sophisticated consistent attack or a breach is the end point. And they are certainly the entry point for many ransomware and social engineering attacks. Making use of endpoint protection products has actually long been thought about a best practice for protecting endpoints. Regrettably, those tools aren’t keeping up with today’s danger environment. Advanced threats, and truth be told, even less advanced dangers, are often more than sufficient for deceiving the average worker into clicking something they should not. So organizations are looking at and examining a wide variety of next-gen endpoint security (NGES) services.

With this in mind, here are ten suggestions to think about if you’re looking at NGES solutions.

Suggestion 1: Begin with the end in mind

Do not let the tail wag the dog. A risk decrease method should always begin by assessing issues and then trying to find possible solutions for those problems. But all frequently we get fascinated with a “shiny” new innovation (e.g., the most recent silver bullet) and we wind up attempting to shoehorn that technology into our environments without completely evaluating if it fixes a comprehended and identified issue. So exactly what problems are you attempting to resolve?

– Is your existing end point security tool failing to stop risks?
– Do you require better visibility into activity on the endpoint?
– Are compliance requirements mandating constant endpoint monitoring?
– Are you trying to decrease the time and expense of incident response?

Specify the problems to attend to, and then you’ll have a measuring stick for success.

Idea 2: Know your audience. Exactly who will be using the tool?

Comprehending the issue that needs to be resolved is a crucial primary step in understanding who owns the issue and who would (operationally) own the service. Every functional team has its strengths, weaknesses, choices and prejudices. Specify who will need to use the solution, and others that might benefit from its use. Maybe it’s:

– Security group,
– IT operations,
– The governance, risk and compliance (GRC) group,
– Help desk or end user assistance team,
– Or perhaps the server group, or a cloud operations group?

Idea 3: Know what you mean by end point

Another often ignored early step in specifying the problem is defining the endpoint. Yes, all of us used to understand what we meant when we stated endpoint but today end points are available in a lot more varieties than before.

Sure we wish to safeguard desktops and laptops however how about mobile devices (e.g. phones and tablets), virtual endpoints, cloud based end points, or Internet of Things (IoT) devices? And how about your servers? All these devices, naturally, are available in multiple flavors so platform support needs to be resolved also (e.g. Windows only, Mac OSX, Linux, etc?). Also, think about assistance for endpoints even when they are working remote, or are working offline. Exactly what are your needs and what are “great to haves?”

Suggestion 4: Start with a structure of constant visibility

Constant visibility is a fundamental capability for attending to a host of security and operational management problems on the endpoint. The old saying holds true – that you cannot manage what you cannot see or determine. Even more, you cannot protect what you can’t appropriately manage. So it needs to begin with constant or all-the-time visibility.

Visibility is fundamental to Management and Security

And think about what visibility means. Enterprises require one source of reality that at a minimum monitors, stores, and evaluates the following:

– System data – events, logs, hardware state, and file system information
– User data – activity logs and behavior patterns
– Application data – characteristics of installed apps and usage patterns
– Binary data – attributes of set up binaries
– Procedures data – tracking details and data
– Network connection data – stats and internal behavior of network activity on the host

Pointer 5: Keep track of your visibility data

End point visibility data can be kept and evaluated on premise, in the cloud, or some combination of both. There are advantages to each. The proper method differs, but is usually driven by regulative requirements, internal privacy policies, the end points being monitored, and the total expense considerations.

Know if your organization needs on-premise data retention

Know whether your company enables cloud based data retention and analysis or if you are constrained to on premise solutions only. Within Ziften, 20-30% of our customers keep data on premise just for regulatory factors. However, if lawfully a choice, the cloud can provide cost advantages (among others).

Pointer 6: Know what is on your network

Comprehending the problem you are aiming to solve needs comprehending the assets on the network. We find that as many as 30% of the end points we initially discover on clients’ networks are un-managed or unidentified devices. This clearly creates a huge blind spot. Decreasing this blind spot is an important best practice. In fact, SANS Critical Security Controls 1 and 2 are to carry out a stock of licensed and unauthorized devices and software applications attached to your network. So try to find NGES solutions that can fingerprint all connected devices, track software stock and usage, and perform on-going continuous discovery.

Tip 7: Know where you are exposed

After figuring out what devices you have to monitor, you have to make certain they are running in up to date setups. SANS Critical Security Controls 3 advises guaranteeing safe and secure configurations tracking for laptops, workstations, and servers. SANS Critical Security Controls 4 advises enabling continuous vulnerability assessment and remediation of these devices. So, look for NGES services that supply all the time tracking of the state or posture of each device, and it’s even of more benefit if it can help implement that posture.

Likewise look for services that provide continuous vulnerability assessment and removal.

Keeping your total end point environment solidified and free of crucial vulnerabilities prevents a substantial amount of security problems and gets rid of a great deal of backend pressure on the IT and security operations teams.

Pointer 8: Cultivate continuous detection and response

An important end goal for lots of NGES services is supporting constant device state monitoring, to make it possible for efficient risk or event response. SANS Critical Security Control 19 suggests robust incident response and management as a best practice.

Look for NGES services that provide all-the-time or constant danger detection, which leverages a network of worldwide threat intelligence, and multiple detection methods (e.g., signature, behavioral, machine learning, etc). And search for event response services that assist focus on identified risks and/or concerns and provide workflow with contextual system, application, user, and network data. This can assist automate the suitable response or next actions. Lastly, understand all the response actions that each service supports – and search for a solution that supplies remote access that is as close as possible to “sitting at the end point keyboard”.

Idea 9: Consider forensics data collection

In addition to event response, organizations should be prepared to deal with the requirement for forensic or historical data analysis. The SANS Critical Security Control 6 recommends the maintenance, monitoring and analysis of all audit logs. Forensic analysis can take lots of forms, but a structure of historic endpoint tracking data will be essential to any examination. So try to find solutions that preserve historical data that permits:

– Forensic tasks consist of tracing lateral danger motion through the network gradually,
– Pinpointing data exfiltration efforts,
– Determining origin of breaches, and
– Determining appropriate remediation actions.

Pointer 10: Tear down the walls

IBM’s security group, which supports an impressive community of security partners, estimates that the average business has 135 security tools in situ and is dealing with 40 security suppliers. IBM clients certainly skew to big enterprise however it’s a typical refrain (complaint) from organizations of all sizes that security solutions do not integrate properly.

And the complaint is not simply that security services don’t play well with other security services, but also that they do not constantly integrate well with system management, patch management, CMDB, NetFlow analytics, ticketing systems, and orchestration tools. Organizations need to consider these (and other) integration points along with the supplier’s willingness to share raw data, not just metadata, through an API.

Bonus Tip 11: Plan for customizations

Here’s a bonus tip. Presume that you’ll wish to personalize that shiny brand-new NGES service soon after you get it. No solution will satisfy all of your requirements right out of the box, in default setups. Find out how the solution supports:

– Customized data collection,
– Notifying and reporting with customized data,
– Customized scripting, or
– IFTTT (if this then that) functionality.

You understand you’ll desire new paint or brand-new wheels on that NGES service quickly – so make certain it will support your future modification jobs easy enough.

Look for assistance for easy modifications in your NGES solution

Follow the bulk of these tips and you’ll certainly prevent a lot of the typical mistakes that pester others in their assessments of NGES solutions.

Chuck Leaver – Nobody Will Protect Everything End To End Better Than Ziften

Written By Ziften CEO Chuck Leaver


Do you wish to handle and safeguard your end points, your data center, your network and the cloud? Well Ziften can provide the ideal solution for you. We gather data, and allow you to correlate and use that data to make choices – and remain in control over your enterprise.

The details that we obtain from everyone on the network can make a real world difference. Think about the inference that the 2016 U.S. elections were influenced by cyber criminals in another country. If that’s the case, cyber criminals can do just about anything – and the idea that we’ll settle for that as the status quo is simply ridiculous.

At Ziften, we believe the best method to combat those hazards is with higher visibility than you’ve ever had. That visibility goes across the entire business, and connects all the major players together. On the back end, that’s genuine and virtual servers in the data center and the cloud. That’s infrastructure and applications and containers. On the other side, it’s notebooks and desktop computers, irrespective of how and where they are linked.

End-to-end – that’s the believing behind everything at Ziften. From end point to the cloud, right the way from a web browser to a DNS server. We tie all that together, with all the other parts to offer your company a total solution.

We likewise capture and store real time data for as much as 12 months to let you understand what’s occurring on the network right now, and supply historical trend analysis and warnings if something changes.

That lets you discover IT faults and security concerns immediately, as well as be able to ferret out the origin by looking back in time to uncover where a breach or fault might have initially occurred. Active forensics are a total requirement in this business: After all, where a breach or fault triggered an alarm may not be where the problem started – or where a hacker is operating.

Ziften supplies your IT and security teams with the visibility to understand your present security posture, and determine where improvements are needed. Non-compliant endpoints? Found. Rogue devices? These will be discovered. Penetration off-network? This will be detected. Obsolete firmware? Unpatched applications? All found. We’ll not just help you discover the problem, we’ll help you repair it, and make certain it stays repaired.

End-to-end IT and security management. Real time and historic active forensics. In the cloud, offline and onsite. Incident detection, containment and response. We’ve got it all covered. That’s what makes Ziften much better.


Chuck Leaver – Monitoring Cloud Activity With Enhanced NetFlow

Written by Roark Pollock and Presented by Ziften CEO Chuck Leaver


According to Gartner public cloud services market went beyond $208 billion in 2016. This represented about a 17% increase year over year. Not bad when you consider the ongoing issues most cloud customers still have relating to data security. Another especially interesting Gartner finding is the common practice by cloud clients to contract services to numerous public cloud service providers.

According to Gartner “most companies are currently utilizing a combination of cloud services from different cloud providers”. While the commercial reasoning for the use of numerous suppliers is sound (e.g., avoiding vendor lock in), the practice does develop additional intricacy inmonitoring activity across an organization’s increasingly dispersed IT landscape.

While some companies support more superior visibility than others (for example, AWS CloudTrail can monitor API calls throughout the AWS infrastructure) organizations need to understand and resolve the visibility problems related to moving to the cloud regardless of the cloud service provider or companies they work with.

Sadly, the ability to monitor application and user activity, and networking communications from each VM or endpoint in the cloud is limited.

Irrespective of where computing resources reside, companies must respond to the questions of “Which users, machines, and applications are interacting with each other?” Organizations require visibility across the infrastructure in order to:

  • Quickly identify and prioritize problems
  • Speed source analysis and identification
  • Lower the mean-time to fix issues for end users
  • Quickly determine and get rid of security hazards, reducing total dwell times.

Conversely, poor visibility or bad access to visibility data can lower the efficiency of current management and security tools.

Companies that are familiar with the maturity, ease, and relative low cost of monitoring physical data centers are going to be disappointed with their public cloud options.

What has been lacking is an easy, common, and elegant service like NetFlow for public cloud infrastructure.

NetFlow, of course, has had 20 years approximately to become a de facto requirement for network visibility. A normal implementation involves the tracking of traffic and aggregation of flows where the network chokes, the retrieval and storage of flow info from multiple collection points, and the analysis of this flow information.

Flows include a basic set of source and destination IP addresses and port and protocol info that is typically collected from a router or switch. Netflow data is reasonably low-cost and easy to collect and offers almost common network visibility and enables actionable analysis for both network tracking and
performance management applications.

Many IT staffs, specifically networking and some security groups are exceptionally comfortable with the technology.

But NetFlow was developed for fixing exactly what has actually ended up being a rather restricted problem in the sense that it just gathers network data and does so at a limited number of possible locations.

To make much better use of NetFlow, 2 crucial changes are needed.

NetFlow at the Edge: First, we need to expand the helpful implementation circumstances for NetFlow. Instead of only gathering NetFlow at network points of choke, let’s broaden flow collection to the network edge (cloud, servers and clients). This would greatly expand the overall view that any NetFlow analytics provide.

This would enable organizations to augment and leverage existing NetFlow analytics tools to eliminate the growing blind spot of visibility into public cloud activity.

Rich, contextual NetFlow: Second, we need to utilize NetFlow for more than basic network visibility.

Instead, let’s use an extended version of NetFlow and take account of data on the application, user, device, and binary responsible for each monitored network connection. That would enable us to quickly correlate every network connection back to its source.

In fact, these two modifications to NetFlow, are exactly what Ziften has actually achieved with ZFlow. ZFlow provides an broadened version of NetFlow that can be released at the network edge, including as part of a VM or container image, and the resulting info collection can be consumed and analyzed with existing NetFlow tools for analysis. Over and above standard NetFlow Internet Protocol Flow Info eXport (IPFIX) networking visibility, ZFlow supplies extended visibility with the inclusion of info on user, device, application and binary for every network connection.

Ultimately, this enables Ziften ZFlow to deliver end-to-end visibility in between any 2 endpoints, physical or virtual, eliminating standard blind spots like east-west traffic in data centers and enterprise cloud implementations.